Rapid7 Blog

Update to the Metasploit Updates and msfupdate

POST STATS:

SHARE

The Short Story

In order to use the binary installer's msfupdate, you need to first register your Metasploit installation. In nearly all cases, this means visiting https://localhost:3790and filling out the form. No money, no dense acceptable use policy, just register and go. Want more detail and alternatives? Read on.

Background

A little over a year ago, Metasploit primary development switched to Git as a source control platform and GitHub as our primary source hosting service. We had outgrown SVN's largely linear, centralized development model and Git's distributed nature was quite complementary to our open source BSD license.

Since Metasploit Framework has many thousands of users, msfupdate still pointed at our legacy repository. Rather than training all our users on Git installation (not to mention dealing with the... idiosyncrasies of the Windows Git solutions), it was easier for everyone to keep that running as a distribution mechanism for bleeding-edge updates.

Things were humming along in this way, with SVN picking up changes to metasploit-framework's master branch, up until around the autumn of 2012. At that time, we saw that our legacy SVN infrastructure was getting pretty rickety, and users were complaining more and more of our SVN server's unresponsiveness. In addition, SVN itself is not that great at dealing with medium-to-large changes in the codebase (every file change necessitates a new TCP connection), whereas Git is pretty solid in that regard (changes are streamed over a single connection). So, in November of 2012, we cleaned up msfupdate, enabled switching between Git and SVN arbitrarily, and posted up a deprecation warning that the SVN route will be going away soon.

Meanwhile, in Metasploit Community, Metasploit Express, and Metasploit Pro (collectively known as the “binary installers”), through version 4.4, we actually shipped two different versions of the Metasploit Framework: one which used the in-product “Update Metasploit” administration function (it's a button in the user interface), and one which used the Metasploit Framework's msfupdate script. The former got the weekly updates we've been producing, and the latter pulled the latest commits to Metasploit Framework (including all our latest bugs).

As it turns out, if you used one, you tended not to use the other -- so it had the effect of shipping a great pile of dead code, depending on which update path you chose. When Metasploit 4.5 was released, we switched this to a single Metasploit Framework installation, and simply had msfupdate call out to the binary installation's update function to fetch code. This reduced the size of the installer, reduced confusion around troubleshooting which “msf” directory you were in, and made the updates act in the way that the user tended to want.

However, this change has a catch: in order to get the weekly updates you need to register your Metasploit installation, since the installed version of Metasploit Framework is no longer tied to source control. As of 4.5, if you install via the binary installers, you are now in the weekly updates, which are always a little behind bleeding edge (with the upside being more QA and acceptance testing of the changes). What this means that if you are installing Metasploit from the monolithic installers like a regular user, but are used to tracking bleeding-edge updates like a Metasploit developer, you are going to be out of luck, and get a “no updates found” error, until you register.

Of course, this is not a power grab from Rapid7, or an attempt to shut out the free, open source users, or anything like that. You do have options to get your updates, depending on your needs.

The Easy Way

Just activate Metasploit Community Edition. It's totally free and takes just a few seconds and a valid e-mail address. We don't force you into an onerous legal agreement or require a subscription fee or anything like that. The simplest way to acquire a license key and activate is detailed in the Metasploit Activation How To, but it's pretty self-explanatory. Visit your installation's new user setup page (usually https://localhost:3790), pick up a license key by following the links from there, and activate. If you run into problems, there's a delightful FAQ that's plenty helpful.

The Hard^H^H^H^HFun Way

You can still get a hold of Metasploit Framework without the installers, but it requires some more investment in your operating environment. Right now, the best documentation around is using the Metasploit Developer Environment, which was written primarily by Tod Beardsley of Rapid7 and Peter Van Eeckhoutte of Corelan Team, and it requires an Ubuntu dev environment. This path will get you into Metasploit Framework just as the open source developers do, with a fully functional git environment, a couple of pre-defined remotes, and your SSH aliases squared away. You are ready to go with both using Framework and hacking on Framework.

That all said, as of today, this method does not install or configure some of the components that the binary installers provide -- notably, you are on your own for setting up a PostgreSQL database, nmap, and Java. It does get you going with a decent version of Ruby, and we plan on updating the documentation with the other components Real Soon Now.

We've been working up some experimental one-liners for installing a Metasploit Framework development environment using similar techniques as the Homebrew and RVM projects. If you'd like to give these a shot, you're more than welcome. Again, these don't get your binaries squared away, but we expect to have that functionality together for the development folks, soon.

BackTrack 5, Revision 3 (BT5R3): Just running apt-get update metasploit && apt-get install metasploit will upgrade you to the latest Metasploit binaries and will switch your Metasploit Framework install over to the Git-sourced version. In this sense, it's very similar to the 4.4 experience of two separate Metasploit Framework installations. For the nitty-gritty of what's happening, or if you'd like to update your BackTrack installation yourself, it's all documented at https://gist.github.com/4393324.

While these developer-centric installers are not supported by Rapid7's support teams, you can often find help by simply posting up whatever trouble you run into on Security Street. Those folks are super helpful.

Recap

If you want the ease of use of having all the secondary binaries installed and configured for you, download the latest installer and take a minute to register your free (as in speech and beer) installation. If you prefer to track the minute-by-minute changes on Framework, then you're invited to dive in the deep end of the developer setups.

If you're already tracking development, then you are already aware that the SVN bridge is going away very soon, so you should be getting used to git for your updates -- and while you're at it, why not write some code? Metasploit is all about empowering security researchers to solve the problems unique to this operational and research space, so by getting up to speed with Git, you're well on your way to becoming the latest valued open source contributor.